| ModSecurity: Warning. Matched "Operator `Eq' with parameter `0' against variable `REQBODY_ERROR' (Value: `1' ) [file "/etc/nginx/modsecurity/modsecurity.conf"] [line "44"] [id "200002"] [rev ""] [msg "Failed to parse request body."] [data "JSON parsing error: parse error: premature EOF\x0a"] [severity "2"] [ver ""] [maturity "0"] [accuracy "0"] [hostname "10.10.0.4"] [uri "/identity-authorization-service/api/v1/authorization"] [unique_id "15158061678.717189"] [ref "v699,1"] | |
| ModSecurity: Warning. Matched "Operator `Eq' with parameter `0' against variable `REQBODY_ERROR' (Value: `1' ) [file "/etc/nginx/owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "118"] [id "920130"] [rev "1"] [msg "Failed to parse request body."] [data "JSON parsing error: parse error: premature EOF\x0a"] [severity "2"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "9"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ" |
| https://kojipkgs.fedoraproject.org//packages/kernel/4.14.18/300.fc27/aarch64/kernel-4.14.18-300.fc27.aarch64.rpm | |
| https://kojipkgs.fedoraproject.org//packages/kernel/4.14.18/300.fc27/aarch64/kernel-core-4.14.18-300.fc27.aarch64.rpm | |
| https://kojipkgs.fedoraproject.org//packages/kernel/4.14.18/300.fc27/aarch64/kernel-devel-4.14.18-300.fc27.aarch64.rpm | |
| https://kojipkgs.fedoraproject.org//packages/kernel/4.14.18/300.fc27/aarch64/kernel-headers-4.14.18-300.fc27.aarch64.rpm | |
| https://kojipkgs.fedoraproject.org//packages/kernel/4.14.18/300.fc27/aarch64/kernel-modules-4.14.18-300.fc27.aarch64.rpm | |
| https://kojipkgs.fedoraproject.org//packages/kernel/4.14.18/300.fc27/aarch64/kernel-modules-extra-4.14.18-300.fc27.aarch64.rpm |
| ## AWS | |
| # from http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html#instancedata-data-categories | |
| http://169.254.169.254/latest/user-data | |
| http://169.254.169.254/latest/user-data/iam/security-credentials/[ROLE NAME] | |
| http://169.254.169.254/latest/meta-data/iam/security-credentials/[ROLE NAME] | |
| http://169.254.169.254/latest/meta-data/ami-id | |
| http://169.254.169.254/latest/meta-data/reservation-id | |
| http://169.254.169.254/latest/meta-data/hostname | |
| http://169.254.169.254/latest/meta-data/public-keys/0/openssh-key |
One server has been compromised. The Incident Response team has acquired its image for further forensics. So, your task is reviewing this server image and develop a investigation report to answer what hacker had done on this server.
Image download link: https://drive.google.com/file/d/1DAJ0F8IbaTQQ_pqG73mE1qsJ5-ng0DCi/view?usp=sharing Access credential:
When review a Linux server, an investigator often reviews these places